KDE Trouble

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in KDE, MySQL, Perl, Ximian Evolution, GnuPG, OpenSLP, Ringtone Tools, LuxMan, and Ethereal.

KDE Problems

Problems have been found in KDE's DCOP server, Konqueror, the dcopidlng script, and KPPP.

The desktop communication protocol authentication daemon in KDE, dcopserver, is reported to be vulnerable to a locally exploitable denial-of-service attack.

The Konqueror web browser is reported to be vulnerable to a phishing-style attack called a homograph attack. A homograph attack uses a web site with a domain name created from international characters that resemble English letters to trick the user into believing the website is a known and trusted one.

The dcopidlng script is supplied with KDE and used during the build process of KDE and some KDE applications. Under some circumstances, the dcopidlng script could be vulnerable to a temporary-file, symbolic-link race condition that could result in arbitrary files being overwritten with the victim's permissions.

KPPP is a telephone dialer and graphical front end for the pppd daemon. By exploiting a file descriptor leak in KPPP, an attacker may be able to control the system's domain name resolution by modifying the content of the /etc/hosts and /etc/resolv.conf files. The problem in KPPP is reported to affect all versions of KDE through 3.1.5. Some Linux distributions execute KPPP (and other X Window applications that require root permissions to run) using a wrapper that protects from these types of attack by closing file descriptors safely. Red Hat Linux is one example of a distribution that uses a wrapper.

The KDE maintainers recommend that all users of KDE upgrade to KDE 3.4 or newer as soon as possible. A possible work around for the KPPP problem is to remove its set user id bit until it has been upgraded.

MySQL

The MySQL database is reported to not properly filter the input of users who have DELETE and INSERT permissions. Under some conditions, this can be exploited to execute arbitrary code on the server with the permissions of the user running MySQL. In addition, a user with CREATE TEMPORARY TABLE permissions may be able to exploit a temporary-file, symbolic-link race condition to write to arbitrary files on the system.

Users should consider upgrading to MySQL 4.0.24 or 4.1.10a.

Perl

A race condition in the Perl programming language's rmtree function in the File::Path module may, under some circumstances, be exploitable by a local attacker to remove or gain read access to arbitrary directories and files. This race condition is reported to affect Perl 5.6.1 and 5.8.4.

Ximian Evolution

The Ximian Evolution email and groupware client will crash when it is used to read certain messages. This problem could be exploited by a remote attacker in a denial-of-service attack by sending the user a carefully crafted message. This problem is reported to affect versions of Evolution through version 2.0.3.

Users should watch their vendors for a patched version of Ximian Evolution.

GnuPG

A problem in GnuPG, the Gnu Privacy Guard, may result (under some conditions) in portions of the plain text of a file encrypted with symmetric encryption being recoverable by a remote attacker. Successfully completing this attack would require a large number of attempts using a source that has the decryption key and will report to the attacker if the integrity check fails. In other words, the attack is only feasible if the victim has an automated system that will respond back to the attacker when an encrypted message fails the integrity check. Also, the attack would only recover the first two bytes of each encrypted block. It is possible that other software that uses the OpenPGP protocol may be vulnerable to this attack.

Concerned users should watch their vendors for a modified version of GnuPG that provides protection against this type of attack.

OpenSLP

OpenSLP is an open source implementation of the Service Location Protocol (SLP). SLP provides information about the existence, location, and configuration of networked services and devices. An audit of OpenSLP by the SuSE Security Team found multiple buffer overflows that could be exploited by a remote attacker using improperly formed SLP packets.

Users should watch their vendors for patched and repaired versions of OpenSLP. SuSE and Mandrake have released repaired versions of OpenSLP.

Ringtone Tools

Ringtone Tools are used to create ring tones for mobile phones. A buffer overflow in the parse_emelody() function of the Ringtone Tools may be exploitable by a remote attacker to execute arbitrary code on the victim's machine if the victim opens a carefully crafted eMelody file.

All affected users should watch their vendors for an updated version of Ringtone Tools and should exercise care in what eMelody files they open.

LuxMan

Buffer overflows in LuxMan, an SVGA console-based Pac-Man clone, can be exploited by a local attacker to gain root permissions.

It is recommended that if the game is not being used its set user id root bit be removed. In addition users should watch their vendors for a repaired version.

Ethereal

Ethereal, a powerful and flexible network protocol analyzer with a graphical interface, is reported to contain several remotely exploitable vulnerabilities. These vulnerabilities may be exploitable by a remote attacker using specifically constructed packets, and could result in arbitrary code being executed with root permissions. The vulnerabilities affect versions of Ethereal earlier than 0.10.10 and include problems in the Etheric, 3GPP2 A11, IAPP, JXTA, and sFlow dissectors; and a problem in the GPRS-LLC if the "ignore cipher bit" is enabled. Code to automate the exploitation of the CDMA A11 dissector has been released to the public.

All users of Ethereal should upgrade to version 0.10.10 or newer as soon as possible. If users are unable to upgrade, they should turn off the affected dissectors.